Tech News

Bad Epoll: The Linux Kernel Flaw That Can Root Android, and Mythos Missed It

A Linux kernel flaw dubbed Bad Epoll (CVE-2026-46242) lets a regular local user, with no special privileges at all, gain root access. It affects desktops, servers… and even Android! Here’s what we know about this vulnerability and how to protect yourself.

A Six-Instruction Window to Root Access

Before discussing the vulnerability, let’s start with a reminder. Epoll is a Linux kernel mechanism: it allows a program to monitor a large number of file descriptors or network connections at the same time. You should not think about disabling it blindly to protect yourself from the vulnerability discussed in this article, because it is used by many components, including network services, web browsers, and more. You could end up breaking everything.

Bad Epoll is a use-after-free bug (which means using memory after it has been freed) caused by a race condition. The flaw works like this: when an epoll object is torn down, two kernel operations collide. One frees a memory structure while the other is still using it. The result is a use-after-free, in other words, a write into a memory area that has already been freed. The initial corruption is minor (a few bytes in the wrong place), but Chung manages to turn it into much broader takeover by exploiting the way Linux recycles memory.

That said, the race condition still has to be hit: the window where the two operations overlap lasts only about six machine instructions. That is very little, and yet that is exactly when the attacker must act. In practice, Jaeyoung Chung’s exploit widens the window artificially and retries the attempt in a loop without ever crashing the system, resulting in a success rate of around 99% on the tested machines. With that kind of hit rate, the race condition is barely a constraint anymore.

This finding was submitted as a 0-day to Google’s kernelCTF program, whose rewards start at $71,337. Beyond affecting Linux, including desktop environments, this vulnerability also affects Android. That is unusual, since Linux kernel flaws discovered recently have never affected Android.

Here are the details Chung provided about this flaw:

  • It can be triggered from Chrome’s isolated renderer process, which blocks nearly all other kernel exploits. In theory, an attacker who already has code execution in that renderer through another browser flaw could chain Bad Epoll to fully escape the sandbox. As of now, however, no such complete chain has been published.
  • It affects Android, which most Linux privilege escalations fail to do. Of the roughly one hundred vulnerabilities exploited through kernelCTF, only about ten are candidates for rooting an Android device. Bad Epoll is one of them.

Mythos AI Found the Twin Flaw, Not Bad Epoll

This vulnerability also brings us to Claude Mythos. Indeed, a single 2023 commit (58c9b016e128, April 2023) introduced not one but two distinct race conditions across about 2,500 lines of epoll code.

According to Chung, the first one was identified by Mythos and linked to CVE-2026-43074, with a fix released earlier in 2026. However, Anthropic has never confirmed this information: the AI company said that Mythos had uncovered Linux kernel privilege escalation flaws, but did not publicly connect that work to the discovery of this flaw.

If that is indeed the case, it means Claude Mythos managed to identify a particularly hard-to-detect race condition flaw. However, Mythos missed the Bad Epoll flaw discovered by researcher Jaeyoung Chung. Chung offers two possible explanations, while making it clear that no one can know for sure:

  • A tiny timing window. With only six instructions, the exact thread interleaving is difficult to visualize, even when staring directly at the code.
  • Few runtime traces. Once CVE-2026-43074 is patched, the Bad Epoll use-after-free usually does not trigger KASAN, the kernel’s main memory error detector. So nothing clearly signals that something is wrong.

The Fix for Bad Epoll: A Security Patch

How can you protect yourself from the Bad Epoll flaw? That is the question after reading this article. Most importantly, Epoll cannot simply be disabled without consequences for the machine. So that is not an option, unlike what could be recommended for other flaws.

To know whether you are affected, it depends on the kernel version:

  • Affected: distributions and devices running a Linux kernel based on version 6.4 or later, as long as the patch has not been applied.
  • Unaffected: kernels based on 6.1, since the flaw was introduced in 6.4. This includes some Android phones still on 6.1.

To protect yourself, you need to use a Linux kernel version where commit a6dc643c6931 has been applied. You should check with the support team for each distribution, especially regarding CVE-2026-46242. For example, Debian 13 benefits from the 6.12.95-1 update, while older versions are not affected (because they use Linux kernel 6.1).

Let’s end with some good news: there is no indication of active exploitation in the wild. The flaw does not appear on CISA’s list of actively exploited vulnerabilities, and the only known working code remains the PoC submitted to kernelCTF.

To learn more, read the public writeup by Jaeyoung Chung.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.